New York SHIELD Act and Small Business Cybersecurity

Even though the City that doesn’t sleep seems a little sleepy, compliance and regulation still don’t. One of the newest laws to hit the books for New York businesses is the SHIELD (Stop Hacks and Improve Electronic Data Security) Act. This law went into effect on March 21, 2020, while we were all trying to get our employees a way to work from home.

The SHIELD Act requires anyone (business or person) licensing information that includes the private information of a New York resident to implement and maintain “reasonable safeguards” to protect that information. Private information includes a username or email address in combination with a password that would grant access to an account, as well as personal information such as a social security number, driver’s license number, other government ID number, credit or debit card information, other financial account numbers, biometric data, etc.

However, if this information is protected through encryption and the encryption key used to protect it was not lost or leaked in the process, the Act does not apply to that data. Data that is also available from a government record is likewise exempt.

Any small business (fewer than fifty employees, under $3m in gross annual revenue, or less than $5m in assets) is compliant if it maintains reasonable administrative, technical and physical safeguards that are appropriate to the complexity and size of the business, the nature of its activities, and the sensitivity of the information it collects. A business is also deemed compliant if it already complies with GLBA, NYCRR 500, or any other data privacy rules or regulations administered by the State of New York or the Federal Government.

Businesses covered by this law may be liable for penalties up to $5,000 per violation.

The Act sets out guidelines for what these safeguards should include:

Administrative Safeguards

The Act stipulates that one or more employees should be assigned to coordinate the security program, identify reasonably foreseeable internal and external risks, assess how sufficient the safeguards in place are to control these identified risks, train and manage employees in the security program’s practices and procedures, select appropriate service providers capable of maintaining these safeguards, and adjust the program as the business changes.

What it doesn’t specify is whether an outside third party can act as this coordinator. It specifically says employee. In other regulations, it’s common to allow a third party to be the data privacy officer or a similar position.

Technical Safeguards

The SHIELD Act requires the business to assess the risks in the design of its network and the software it uses, and in how information is processed, transmitted and stored; to detect, prevent and respond to attacks and system failures; and to regularly test and monitor the effectiveness of key controls, systems and procedures.

Physical Safeguards

Businesses must assess the risks of information storage and disposal; detect, prevent and respond to intrusions; protect against unauthorized access to or use of private information during or after its collection, transportation, destruction or disposal; and dispose of private information within a “reasonable amount of time” after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Is your cybersecurity program following a framework?

If your business is following a security framework such as the NIST Cybersecurity Framework, CIS 20, or the meta-framework Secure Controls Framework, you are likely all set. You can easily map the work you are already doing to this regulation and see that you meet all of the requirements. These frameworks provide a blueprint for how a security program can be structured so that as new regulations come out (and they will) your business is ready while your competitors are scrambling to piece together policies to make a square peg fit into a round hole.

More and more regulations are codifying the basic tenets that these frameworks stipulate. The homage to the NIST Cybersecurity Framework in the technical safeguards section of this Act is a clear result of this. If you are looking for a way to jump-start your security program, or need help deciding which framework to base your security on, give us a ring. We’d be happy to help guide your business to a more secure future.
